When the client is serving as a proxy for an STS in the Requestor STS role described in [MS-MWBF], the client MUST emit an <LsRequestSecurityToken> request message after it authenticates a new web browser requestor requesting a security token using the protocol described in [MS-MWBF]. A new web browser requestor is a web browser requestor that does not present an [RFC2965] session cookie issued by the STS with its security token request.

If a session cookie is presented by the web browser requestor, the client MAY emit an <LsRequestSecurityToken> request message or an <LsRequestSecurityTokenWithCookie> request message, given that no token has been posted in the wresult parameter described by [MS-MWBF].<3>